JSF and PrettyFaces - How to restrict direct xhtml requests

Asked 3/8, 2011 at 9:11 Answered 3/8, 2011 at 20:40

I'm new to JSF and PrettyFaces. So by now i found out that i can configure PrettyFaces to "forward" the request to the right .xhtml file. The problem is, that i (or a user, in case he knows my folder structure) also can request the file. This is my sample:

Files: webbapp/mypage.xhtml

I added the following lines to pretty-config.xml:

<url-mapping id="myPageId">
    <pattern value="/prettyurltomypage" />
    <view-id value="/mypage.xhtml" /> 
</url-mapping>

The PrettyFaces Filter is configured to intercept on "/". The Faces Front Controller is configured to process all ".xhtml" requests. When i request...

http://localhost:8080/myapp/prettyurltomypage

...evrything is fine. My problem is, that i can also request...

http://localhost:8080/myapp/mypage.xhtml

How can i restrict the .xhtml requests? My goal is to make jsf/server deliver the default 404 page.

My solution (so far) was to define a rewrite rule in pretty-config.xml:

<rewrite match="/mypage.xhtml" substitute="/prettyurltomypage" redirect="301" />

Is there any other (smarter) way?

Feininger answered 3/8, 2011 at 9:11 Comment(0)

It can be done by marking XHTML files as web resources in your deployment descriptor.
To do so, you may add something like this to your web.xml:

<security-constraint>
    <display-name>Restrict direct access to XHTML files</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML files</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

If you'd like to read more about security constraints there's a brief article on Javalobby.

Puton answered 3/8, 2011 at 13:51 Comment(1)

@Christian Beikov If the entered URL matches the expression in url-pattern you'll get a HTTP 403, no matter what filter you use. As a side note I use a security constraint based solution for this in a production environment, and so far I could not access JSF pages directly. – Puton 4/8, 2011 at 0:18

Yeah, if you just want to block access to direct pages, that's probably the best way to go without using something like a custom security package - otherwise, if you just want to make sure the pages are rendered correctly. You can actually just change your faces servlet mapping to .xhtml, which means that your source will not be exposed when people access pages.

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>

If you want to do more complicated rewrite rules in order to actually lock down the pages, you could consider using a custom rewrite processor and implement the Processor interface.

http://ocpsoft.com/docs/prettyfaces/3.3.0/en-US/html_single/#inbound_rewriting.options

Custom processors have access to the HttpServletRequest and HttpServletResponse and invoke both on inbound and outbound rewrites: You can do more complicated things with this interface:

/**
 * Perform a rewrite operation on a given URL, utilizing any necessary information from the given {@link RewriteRule}
 * configuration object from which the processor was invoked.
 * 
 * @author Lincoln Baxter, III <[email protected]>
 */
public interface Processor
{
   /**
    * Process an inbound URL Rewrite request. This takes place when the request first comes in to the server and passes
    * through {@link RewriteFilter}
    */
   String processInbound(HttpServletRequest request, HttpServletResponse response, RewriteRule rule, String url);

   /**
    * Process an outbound URL Rewrite request. This takes place when a URL is passed in to
    * {@link HttpServletResponse#encodeRedirectURL(String)}, and since most frameworks ensure the call to
    * 'encodeRedirectUrl()' occurs automatically, can be assumed to occur whenever a URL would be rendered to HTML
    * output.
    */
   String processOutbound(HttpServletRequest request, HttpServletResponse response, RewriteRule rule, String url);
}

Otherwise, what you are doing will work, and until OCPSoft Rewrite https://github.com/ocpsoft/rewrite ( Who are also behind PrettyFaces ) is released, in which case you could do this pretty easily with a simple inbound rewrite rule:

package com.example;
public class ExampleConfigurationProvider extends HttpConfigurationProvider
{

   @Override
   public int priority()
   {
     return 10;
   }

   @Override
   public Configuration getConfiguration(final ServletContext context)
   {
     return ConfigurationBuilder.begin()
       .defineRule()
         .when(Direction.isInbound().and(DispatchType.isRequest()).and(Path.matches(".*\\.xhtml")).andNot(Path.matches(".*javax.faces.resource.*")))
         .perform(SendStatus.code(404));
    }
}

This Rewrite rule will block access to inbound HTTP requests on .XHTML files, while still allowing forwarded, or error, or async requests. It will also leave the JSF2 resources API in a functional state, which is not the case if you use the Java EE Security Constraint as suggested in another answer.

Hope this helps, Lincoln

Fulminate answered 3/8, 2011 at 20:40 Comment(1)

My pleasure :) Glad I could be of assistance! – Fulminate 4/8, 2011 at 14:13

See the following Issue: http://code.google.com/p/prettyfaces/issues/detail?id=116

Hope this will help you

Minestrone answered 3/8, 2011 at 13:1 Comment(2)

The security constraints will not work because a request which runs through PrettyFaces-Filter will be forwarded and in the end the request for the file is always done. The only solution i know is setting up a Filter which denys the access, but you have to be aware of the fact that resource requests will also use the defined mapping for the faces servlet. – Minestrone 3/8, 2011 at 19:16

@BCsongor I can not access anything with this security constraint. Prettyfaces is forwarding the requests to the .xhtml-files of course and because of that somewhere the files have to be called. – Minestrone 18/8, 2011 at 20:3

Recommended topics

Hot tags